Security

• Goal

  OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than Sun, SGI, IBM, HP, or other vendors are able to. We can make changes the vendors would not make. Also, since OpenBSD is exported with cryptography, we are able to take cryptographic approaches towards fixing security problems.

• Full Disclosure

  Like many readers of the BUGTRAQ mailing list, we believe in full disclosure of security problems. In the operating system arena, we were probably the first to embrace the concept. Many vendors, even of free software, still try to hide issues from their users.

  Security information moves very fast in cracker circles. On the other hand, our experience is that coding and releasing of proper security fixes typically requires about an hour of work -- very fast fix turnaround is possible. Thus we think that full disclosure helps the people who really care about security.

• Audit Process

  Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills.

  Some members of our security auditing team worked for Secure Networks, the company that made the industry's premier network security scanning software package Ballista (Secure Networks got purchased by Network Associates, Ballista got renamed to Cybercop Scanner, and well...) That company did a lot of security research, and thus fit in well with the OpenBSD stance. OpenBSD passed Ballista's tests with flying colours since day 1.

  Another facet of our security auditing process is its proactiveness. In most cases we have found that the determination of exploitability is not an issue. During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable. (Or, more likely someone on BUGTRAQ would report that other operating systems were vulnerable to a `newly discovered problem', and then it would be discovered that OpenBSD had been fixed in a previous release). In other cases we have been saved from full exploitability of complex step-by-step attacks because we had fixed one of the intermediate steps. An example of where we managed such a success is the lpd advisory that Secure Networks put out.

• New Technologies

  As we audit source code, we often invent new ways of solving problems. Sometimes these ideas have been used before in some random application written somewhere, but perhaps not taken to the degree that we do.

  • strlcpy() and strlcat()
  • Memory protection purify
    • W^X
    • .rodata segment
    • Guard pages
    • Randomized malloc()
    • Randomized mmap()
    • atexit() and stdio protection
  • Privilege separation
  • Privilege revocation
  • Chroot jailing
  • New uids
  • ProPolice
  • ... and others

• The Reward

  Our proactive auditing process has really paid off. Statements like ``This problem was fixed in OpenBSD about 6 months ago'' have become commonplace in security forums like BUGTRAQ.

  The most intense part of our security auditing happened immediately before the OpenBSD 2.0 release and during the 2.0->2.1 transition, over the last third of 1996 and first half of 1997. Thousands (yes, thousands) of security issues were fixed rapidly over this year-long period; bugs like the standard buffer overflows, protocol implementation weaknesses, information gathering, and filesystem races. Hence most of the security problems that we encountered were fixed before our 2.1 release, and then a far smaller number needed fixing for our 2.2 release. We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated. Still we will persist for a number of reasons:

  • Occasionally we find a simple problem we missed earlier. Doh!
  • Security is like an arms race; the best attackers will continue to search for more complicated exploits, so we will too.
  • Finding and fixing subtle flaws in complicated software is a lot of fun.

  The auditing process is not over yet, and as you can see we continue to find and fix new security flaws.

• "Secure by Default"

  To ensure that novice users of OpenBSD do not need to become security experts overnight (a viewpoint which other vendors seem to have), we ship the operating system in a Secure by Default mode. All non-essential services are disabled. As the user/administrator becomes more familiar with the system, he will discover that he has to enable daemons and other parts of the system. During the process of learning how to enable a new service, the novice is more likely to learn of security considerations.

  This is in stark contrast to the increasing number of systems that ship with NFS, mountd, web servers, and various other services enabled by default, creating instantaneous security problems for their users within minutes after their first install.

• Cryptography

  And of course, since the OpenBSD project is based in Canada, it is possible for us to integrate cryptography. For more information, read the page outlining what we have done with cryptography.

• Advisories

• OpenBSD 4.0 Security Advisories

  These are the OpenBSD 4.0 advisories -- all these problems are solved in OpenBSD current and the patch branch.
  • Apr 23, 2007: IPv6 type 0 route headers can be used to mount a DoS attack against hosts and networks.
  • Apr 4, 2007: Multiple vulnerabilities in X.Org.
  • Mar 7, 2007: Incorrect mbuf handling for ICMP6 packets.
  • Jan 3, 2007: Insufficient validation in vga(4) may allow an attacker to gain root privileges on some i386 systems.
  • Nov 19, 2006: ld.so(1) fails to properly sanitize the environment.
  • Nov 4, 2006: Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support, found by Chris Evans.
  • Nov 4, 2006: Several problems have been found in OpenSSL.
  • Nov 4, 2006: httpd(8) does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks.

• OpenBSD 3.9 Security Advisories

  These are the OpenBSD 3.9 advisories -- all these problems are solved in OpenBSD current and the patch branch.
  • Apr 23, 2007: IPv6 type 0 route headers can be used to mount a DoS attack against hosts and networks.
  • Apr 4, 2007: Multiple vulnerabilities in X.Org.
  • Mar 7, 2007: Incorrect mbuf handling for ICMP6 packets.
  • Jan 3, 2007: Insufficient validation in vga(4) may allow an attacker to gain root privileges on some i386 systems.
  • Nov 19, 2006: ld.so(1) fails to properly sanitize the environment.
  • Oct 12, 2006: Fix 2 security bugs found in OpenSSH.
  • Oct 7, 2006: Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support, found by Chris Evans.
  • Oct 7, 2006: Several problems have been found in OpenSSL.
  • Oct 7, 2006: httpd(8) does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks.
  • Sep 8, 2006: Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for an attacker to construct an invalid signature which OpenSSL would accept as a valid PKCS#1 v1.5 signature.
  • Sep 8, 2006: Two Denial of Service issues have been found with BIND.
  • Sep 2, 2006: Due to the failure to correctly validate LCP configuration option lengths, it is possible for an attacker to send LCP packets via an sppp(4) connection causing the kernel to panic.
  • Aug 25, 2006: A problem in isakmpd(8) caused IPsec to run partly without replay protection.
  • Aug 25, 2006: It is possible to cause the kernel to panic when more than the default number of sempahores have been allocated.
  • Aug 25, 2006: Due to an off-by-one error in dhcpd(8) it is possible to cause dhcpd(8) to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
  • Aug 25, 2006: A potential denial of service problem has been found in sendmail.
  • Jul 30, 2006: httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer overflow.
  • Jun 15, 2006: A potential denial of service problem has been found in sendmail.
  • May 2, 2006: A buffer overflow exists in the Render extension of the X server.
  • Mar 25, 2006: A race condition has been reported to exist in the handling by sendmail of asynchronous signals.

  OpenBSD 3.8 and earlier releases are not supported anymore. The following paragraphs only list advisories issued while they were maintained; these releases are likely to be affected by the advisories for more recent releases.
  

• OpenBSD 3.8 Security Advisories

  These are the OpenBSD 3.8 advisories -- all these problems are solved in OpenBSD current and the patch branch.
  • Oct 12, 2006: Fix 2 security bugs found in OpenSSH.
  • Oct 7, 2006: Fix for an integer overflow in systrace(4)'s STRIOCREPLACE support, found by Chris Evans.
  • Oct 7, 2006: Several problems have been found in OpenSSL.
  • Oct 7, 2006: httpd(8) does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks.
  • Sep 8, 2006: Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for an attacker to construct an invalid signature which OpenSSL would accept as a valid PKCS#1 v1.5 signature.
  • Sep 8, 2006: Two Denial of Service issues have been found with BIND.
  • Sep 2, 2006: Due to the failure to correctly validate LCP configuration option lengths, it is possible for an attacker to send LCP packets via an sppp(4) connection causing the kernel to panic.
  • Aug 25, 2006: A problem in isakmpd(8) caused IPsec to run partly without replay protection.
  • Aug 25, 2006: It is possible to cause the kernel to panic when more than the default number of sempahores have been allocated.
  • Aug 25, 2006: Due to an off-by-one error in dhcpd(8) it is possible to cause dhcpd(8) to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
  • Aug 25, 2006: A potential denial of service problem has been found in sendmail.
  • Jul 30, 2006: httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer overflow.
  • Jun 15, 2006: A potential denial of service problem has been found in sendmail.
  • May 2, 2006: A buffer overflow exists in the Render extension of the X server.
  • Mar 25, 2006: A race condition has been reported to exist in the handling by sendmail of asynchronous signals.
  • Feb 12, 2006: Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the system(3) function in scp(1) when performing copy operations using filenames that are supplied by the user from the command line.
  • Jan 5, 2006: Do not allow users to trick suid programs into re-opening files via /dev/fd.
  • Jan 5, 2006: A buffer overflow has been found in the Perl interpreter with the sprintf function which may be exploitable under certain conditions.

• OpenBSD 3.7 Security Advisories

  These are the OpenBSD 3.7 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.7 is no longer being maintained, you should update your machine.
  • May 2, 2006: A buffer overflow exists in the Render extension of the X server.
  • Mar 25, 2006: A race condition has been reported to exist in the handling by sendmail of asynchronous signals.
  • Feb 12, 2006: Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the system(3) function in scp(1) when performing copy operations using filenames that are supplied by the user from the command line.
  • Jan 5, 2006: Do not allow users to trick suid programs into re-opening files via /dev/fd.
  • Jan 5, 2006: A buffer overflow has been found in the Perl interpreter with the sprintf function which may be exploitable under certain conditions.
  • Jul 21, 2005: Fix another buffer overflow in the zlib library that may be exploitable.
  • Jul 6, 2005: Fix a buffer overflow in the zlib library that may be exploitable.
  • Jun 20, 2005: Fix a race condition in sudo(8) that could allow a user to run arbitrary commands.
  • Jun 7, 2005: Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1).

• OpenBSD 3.6 Security Advisories

  These are the OpenBSD 3.6 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.6 is no longer being maintained, you should update your machine.
  • Jul 21, 2005: Fix another buffer overflow in the zlib library that may be exploitable.
  • Jul 6, 2005: Fix a buffer overflow in the zlib library that may be exploitable.
  • Jun 20, 2005: Fix a race condition in sudo(8) that could allow a user to run arbitrary commands.
  • Apr 28, 2005: Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1).
  • Mar 30, 2005: Due to buffer overflows in telnet(1), a malicious server or man-in-the-middle attack could allow execution of arbitrary code with the privileges of the user invoking telnet(1).
  • Mar 16, 2005: More stringent checking should be done in the copy(9) functions to prevent their misuse.
  • Feb 28, 2005: More stringent checking should be done in the copy(9) functions to prevent their misuse.
  • Jan 12, 2005: httpd(8)'s mod_include module fails to properly validate the length of user supplied tag strings prior to copying them to a local buffer, causing a buffer overflow.
  • Dec 14, 2004: On systems running isakmpd(8) it is possible for a local user to cause kernel memory corruption and system panic by setting ipsec(4) credentials on a socket.

• OpenBSD 3.5 Security Advisories

  These are the OpenBSD 3.5 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.5 is no longer being maintained, you should update your machine.
  • Apr 28, 2005: Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1).
  • Mar 30, 2005: Due to buffer overflows in telnet(1), a malicious server or man-in-the-middle attack could allow execution of arbitrary code with the privileges of the user invoking telnet(1).
  • Mar 16, 2005: More stringent checking should be done in the copy(9) functions to prevent their misuse.
  • Feb 28, 2005: More stringent checking should be done in the copy(9) functions to prevent their misuse.
  • Jan 12, 2005: httpd(8)'s mod_include module fails to properly validate the length of user supplied tag strings prior to copying them to a local buffer, causing a buffer overflow.
  • Dec 14, 2004: On systems running isakmpd(8) it is possible for a local user to cause kernel memory corruption and system panic by setting ipsec(4) credentials on a socket.
  • Sep 20, 2004: Radius-based authentication is vulnerable to spoofed replies.
  • Sep 16, 2004: The Xpm library has vulnerabilities when parsing malicious images.
  • Sep 10, 2004: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows.
  • Jun 12, 2004: Multiple vulnerabilities have been found in httpd(8) / mod_ssl.
  • Jun 10, 2004: isakmpd(8) still has issues with unauthorized SA deletion, an attacker can delete IPsec tunnels at will.
  • Jun 9, 2004: Multiple remote vulnerabilities have been found in the cvs(1) server which can be used by CVS clients to crash or execute arbitrary code on the server.
  • May 30, 2004: kdc(8) performs inadequate checking of request fields, leading to the possibility of principal impersonation from other Kerberos realms if they are trusted with a cross-realm trust.
  • May 26, 2004: xdm(1) ignores the requestPort resource and creates a listening socket regardless of the setting in xdm-config.
  • May 20, 2004: A buffer overflow in the cvs(1) server has been found, which can be used by CVS clients to execute arbitrary code on the server.
  • May 13, 2004: Integer overflow problems were found in procfs, allowing reading of arbitrary kernel memory.
  • May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree.

• OpenBSD 3.4 Security Advisories

  These are the OpenBSD 3.4 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.4 is no longer being maintained, you should update your machine.
  • Dec 14, 2004: On systems running isakmpd(8) it is possible for a local user to cause kernel memory corruption and system panic by setting ipsec(4) credentials on a socket.
  • Sep 16, 2004: The Xpm library has vulnerabilities when parsing malicious images.
  • Sep 10, 2004: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows.
  • Jun 12, 2004: Multiple vulnerabilities have been found in httpd(8) / mod_ssl.
  • Jun 10, 2004: isakmpd(8) still has issues with unauthorized SA deletion, an attacker can delete IPsec tunnels at will.
  • Jun 9, 2004: Multiple remote vulnerabilities have been found in the cvs(1) server which can be used by CVS clients to crash or execute arbitrary code on the server.
  • May 30, 2004: kdc(8) performs inadequate checking of request fields, leading to the possibility of principal impersonation from other Kerberos realms if they are trusted with a cross-realm trust.
  • May 20, 2004: A buffer overflow in the cvs(1) server has been found, which can be used by CVS clients to execute arbitrary code on the server.
  • May 13, 2004: Integer overflow problems were found in procfs, allowing reading of arbitrary kernel memory.
  • May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree.
  • March 17, 2004: A missing check for a NULL-pointer dereference may allow a remote attacker to crash applications using OpenSSL.
  • March 17, 2004: Defects in the payload validation and processing functions of isakmpd have been discovered. An attacker could send malformed ISAKMP messages and cause isakmpd to crash or to loop endlessly.
  • March 13, 2004: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match.
  • February 8, 2004: An IPv6 MTU handling problem exists that could be used by an attacker to cause a denial of service attack.
  • February 5, 2004: A reference counting bug in shmat(2) could be used to write to kernel memory under certain circumstances.
  • January 13, 2004: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski.
  • November 17, 2003: It may be possible for a local user to overrun the stack in compat_ibcs2(8) and cause a kernel panic.
  • November 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3).

• OpenBSD 3.3 Security Advisories

  These are the OpenBSD 3.3 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.3 is no longer being maintained, you should update your machine.
  • May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree.
  • March 17, 2004: A missing check for a NULL-pointer dereference may allow a remote attacker to crash applications using OpenSSL.
  • March 17, 2004: Defects in the payload validation and processing functions of isakmpd have been discovered. An attacker could send malformed ISAKMP messages and cause isakmpd to crash or to loop endlessly.
  • March 13, 2004: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match.
  • February 8, 2004: An IPv6 MTU handling problem exists that could be used by an attacker to cause a denial of service attack.
  • February 5, 2004: A reference counting bug in shmat(2) could be used to write to kernel memory under certain circumstances.
  • January 15, 2004: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski.
  • November 17, 2003: It may be possible for a local user to execute arbitrary code resulting in escalation of privileges due to a stack overrun in compat_ibcs2(8).
  • October 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3).
  • September 24, 2003: Access of freed memory in pf(4) could be used to remotely panic a machine using scrub rules.
  • September 17, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
  • September 16, 2003: OpenSSH versions prior to 3.7 contains a buffer management error that is potentially exploitable.
  • September 10, 2003: Root may be able to reduce the security level by taking advantage of an integer overflow when the semaphore limits are made very large.
  • August 20, 2003: An improper bounds check in the kernel may allow a local user to panic the kernel.
  • August 4, 2003: An off-by-one error exists in the C library function realpath(3) may allow an attacker to gain escalated privileges.

• OpenBSD 3.2 Security Advisories

  These are the OpenBSD 3.2 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.2 is no longer being maintained, you should update your machine.
  • October 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.
  • September 24, 2003: Access of freed memory in pf(4) could be used to remotely panic a machine using scrub rules.
  • September 17, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
  • September 16, 2003: OpenSSH versions prior to 3.7 contains a buffer management error that is potentially exploitable.
  • August 25, 2003: Fix for a potential security issue in sendmail(8) with respect to DNS maps.
  • August 4, 2003: An off-by-one error exists in the C library function realpath(3) may allow an attacker to gain escalated privileges.
  • March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
  • March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.
  • March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.
  • March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
  • March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon..
  • March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
  • February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.
  • February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.
  • January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
  • November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail.
  • November 6, 2002: A logic error in the pool kernel memory allocator could cause memory corruption in low-memory situations, causing the system to crash.
  • November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account.
  • November 6, 2002: Network bridges running pf with scrubbing enabled could cause mbuf corruption, causing the system to crash.
  • October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.

• OpenBSD 3.1 Security Advisories

  These are the OpenBSD 3.1 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.1 is no longer being maintained, you should update your machine.
  • March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
  • March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well.
  • March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa.
  • March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
  • March 4, 2003: A buffer overflow in lprm(1) may allow an attacker to gain root privileges.
  • March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
  • February 23, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines.
  • January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user.
  • November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail.
  • November 6, 2002: Incorrect argument checking in the getitimer(2) system call may allow an attacker to crash the system.
  • November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account.
  • October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.
  • October 2, 2002: Incorrect argument checking in the setitimer(2) system call may allow an attacker to write to kernel memory.
  • August 11, 2002: An insufficient boundary check in the select system call allows an attacker to overwrite kernel memory and execute arbitrary code in kernel context.
  • July 30, 2002: Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ssl(8) library, as in the ASN.1 parser code in the crypto(3) library, all of them being potentially remotely exploitable.
  • July 29, 2002: A buffer overflow can occur in the xdr_array(3) RPC code, leading to possible remote crash.
  • July 29, 2002: A race condition exists in the pppd(8) daemon which may cause it to alter the file permissions of an arbitrary file.
  • July 5, 2002: Receiving IKE payloads out of sequence can cause isakmpd(8) to crash.
  • June 27, 2002: The kernel would let any user ktrace set[ug]id processes.
  • June 26, 2002: A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd module, leading to possible remote crash or exploit.
  • June 25, 2002: A potential buffer overflow in the DNS resolver has been found.
  • June 24, 2002: All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation.
  • June 19, 2002: A buffer overflow can occur during the interpretation of chunked encoding in httpd(8), leading to possible remote crash.
  • May 22, 2002: Under certain conditions, on systems using YP with netgroups in the password database, it is possible that sshd(8) does ACL checks for the requested user name but uses the password database entry of a different user for authentication. This means that denied users might authenticate successfully while permitted users could be locked out.
  • May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes.
  • April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap.
  • April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file.

• OpenBSD 3.0 Security Advisories

  These are the OpenBSD 3.0 advisories -- all these problems are solved in OpenBSD current. The patch branch for 3.0 is no longer being maintained, you should update your machine.
  • November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail.
  • November 6, 2002: Incorrect argument checking in the getitimer(2) system call may allow an attacker to crash the system.
  • November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account.
  • October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.
  • October 7, 2002: Incorrect argument checking in the setitimer(2) system call may allow an attacker to write to kernel memory.
  • August 11, 2002: An insufficient boundary check in the select and poll system calls allows an attacker to overwrite kernel memory and execute arbitrary code in kernel context.
  • July 30, 2002: Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ssl(8) library, as in the ASN.1 parser code in the crypto(3) library, all of them being potentially remotely exploitable.
  • July 29, 2002: A buffer overflow can occur in the xdr_array(3) RPC code, leading to possible remote crash.
  • July 29, 2002: A race condition exists in the pppd(8) daemon which may cause it to alter the file permissions of an arbitrary file.
  • July 5, 2002: Receiving IKE payloads out of sequence can cause isakmpd(8) to crash.
  • June 27, 2002: The kernel would let any user ktrace set[ug]id processes.
  • June 25, 2002: A potential buffer overflow in the DNS resolver has been found.
  • June 24, 2002: All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation.
  • June 24, 2002: A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd module, leading to possible remote crash or exploit.
  • June 19, 2002: A buffer overflow can occur during the interpretation of chunked encoding in httpd(8), leading to possible remote crash.
  • May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes.
  • April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap.
  • April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file.
  • April 11, 2002: The mail(1) was interpreting tilde escapes even when invoked in non-interactive mode. As mail(1) is called as root from cron, this can lead to a local root compromise.
  • March 19, 2002: Under certain conditions, on systems using YP with netgroups in the password database, it is possible for the rexecd(8) and rshd(8) daemons to execute a shell from a password database entry for a different user. Similarly, atrun(8) may change to the wrong home directory when running jobs.
  • March 13, 2002: A potential double free() exists in the zlib library; this is not exploitable on OpenBSD. The kernel also contains a copy of zlib; it is not currently known if the kernel zlib is exploitable.
  • March 8, 2002: An off-by-one check in OpenSSH's channel forwarding code may allow a local user to gain super-user privileges.
  • January 21, 2002: A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account.
  • January 17, 2002: There is a security hole in sudo(8) that can be exploited when the Postfix sendmail replacement is installed that may allow an attacker on the local host to gain root privileges.
  • November 28, 2001: An attacker can trick a machine running the lpd daemon into creating new files in the root directory from a machine with remote line printer access.
  • November 13, 2001: The vi.recover script can be abused in such a way as to cause arbitrary zero-length files to be removed.
  • November 13, 2001: pf(4) was incapable of dealing with certain ipv6 icmp packets, resulting in a crash.
  • November 12, 2001: A security hole that may allow an attacker to partially authenticate if -- and only if -- the administrator has enabled KerberosV.

• OpenBSD 2.9 Security Advisories

  These are the OpenBSD 2.9 advisories -- all these problems are solved in OpenBSD current. The patch branch. for 2.9 is no longer being maintained, you should update your machine.
  • June 25, 2002: A potential buffer overflow in the DNS resolver has been found.
  • May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes.
  • April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap.
  • April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file.
  • April 11, 2002: The mail(1) was interpreting tilde escapes even when invoked in non-interactive mode. As mail(1) is called as root from cron, this can lead to a local root compromise.
  • March 13, 2002: A potential double free() exists in the zlib library; this is not exploitable on OpenBSD. The kernel also contains a copy of zlib; it is not currently known if the kernel zlib is exploitable.
  • March 8, 2002: An off-by-one check in OpenSSH's channel forwarding code may allow a local user to gain super-user privileges.
  • January 21, 2002: A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account.
  • January 17, 2002: There is a security hole in sudo(8) that can be exploited when the Postfix sendmail replacement is installed that may allow an attacker on the local host to gain root privileges.
  • November 28, 2001: An attacker can trick a machine running the lpd daemon into creating new files in the root directory from a machine with remote line printer access.
  • November 13, 2001: The vi.recover script can be abused in such a way as to cause arbitrary zero-length files to be removed.
  • September 11, 2001: A security hole exists in uuxqt(8) that may allow an attacker to gain root privileges.
  • August 29, 2001: A security hole exists in lpd(8) that may allow an attacker to gain root privileges if lpd is running.
  • August 21, 2001: A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges.
  • July 30, 2001: A kernel buffer overflow in the NFS code can be used to execute arbitrary code by users with mount privileges (only root by default).
  • June 15, 2001: A race condition in the kernel can lead to local root compromise.
  • June 12, 2001: sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.
  • May 30, 2001: Programs using the fts routines can be tricked into changing into the wrong directory.
  • May 29, 2001: Sendmail signal handlers contain unsafe code, leading to numerous race conditions.

• OpenBSD 2.8 Security Advisories

  These are the OpenBSD 2.8 advisories -- all these problems are solved in OpenBSD current. The patch branch. for 2.8 is no longer being maintained, you should update your machine.
  • September 11, 2001: A security hole exists in uuxqt(8) that may allow an attacker to gain root privileges.
  • August 29, 2001: A security hole exists in lpd(8) that may allow an attacker to gain root privileges if lpd is running.
  • August 21, 2001: A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges.
  • June 15, 2001: A race condition in the kernel can lead to local root compromise.
  • May 30, 2001: Programs using the fts routines can be tricked into changing into the wrong directory.
  • May 29, 2001: Sendmail signal handlers contain unsafe code, leading to numerous race conditions.
  • Apr 23, 2001: IPF contains a serious bug with its handling of fragment caching.
  • Apr 23, 2001: ftpd(8) contains a potential DoS relating to glob(3).
  • Apr 10, 2001: The glob(3) library call contains multiple buffer overflows.
  • Mar 18, 2001: The readline library creates history files with permissive modes based on the user's umask.
  • Mar 2, 2001: Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel.
  • Mar 2, 2001: The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory.
  • Feb 22, 2001: a non-exploitable buffer overflow was fixed in sudo(8).
  • Jan 29, 2001: merge named(8) with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities.
  • Jan 22, 2001: rnd(4) did not use all of its input when written to.
  • Dec 22, 2000: xlock(1)'s authentication was re-done to authenticate via a named pipe. (patch and new xlock binaries included).
  • Dec 18, 2000: Procfs contains numerous overflows. Procfs is not used by default in OpenBSD. (patch included).
  • Dec 10, 2000: Another problem exists in KerberosIV libraries (patch included).
  • Dec 7, 2000: A set of problems in KerberosIV exist (patch included).
  • Dec 4, 2000: A single-byte buffer overflow exists in ftpd (patch included).

• OpenBSD 2.7 Security Advisories

  These are the OpenBSD 2.7 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.
  • Mar 18, 2001: The readline library creates history files with permissive modes based on the user's umask.
  • Feb 22, 2001: a buffer overflow was fixed in sudo(8).
  • Dec 4, 2000: A single-byte buffer overflow exists in ftpd (patch included).
  • Nov 10, 2000: Hostile servers can force OpenSSH clients to do agent or X11 forwarding. (patch included)
  • Oct 26, 2000: X11 libraries have 2 potential overflows in xtrans code. (patch included)
  • Oct 18, 2000: Apache mod_rewrite and mod_vhost_alias modules could expose files on the server in certain configurations if used. (patch included)
  • Oct 10, 2000: The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH and TERMCAP environment variables as it should. (patch included)
  • Oct 6, 2000: There are printf-style format string bugs in several privileged programs. (patch included)
  • Oct 6, 2000: libcurses honored terminal descriptions in the $HOME/.terminfo directory as well as in the TERMCAP environment variable for setuid and setgid applications. (patch included)
  • Oct 6, 2000: A format string vulnerability exists in talkd(8). (patch included)
  • Oct 3, 2000: A format string vulnerability exists in the pw_error() function of the libutil library, yielding localhost root through chpass(1). (patch included)
  • Sep 18, 2000: Bad ESP/AH packets could cause a crash under certain conditions. (patch included)
  • Aug 16, 2000: A format string vulnerability (localhost root) exists in xlock(1). (patch included)
  • July 14, 2000: Various bugs found in X11 libraries have various side effects, almost completely denial of service in OpenBSD. (patch included)
  • July 5, 2000: Just like pretty much all the other unix ftp daemons on the planet, ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default. The problem exists if anonymous ftp is enabled. (patch included)
  • July 5, 2000: Mopd, very rarely used, contained some buffer overflows. (patch included)
  • June 28, 2000: libedit would check for a .editrc file in the current directory. Not known to be a real security issue, but a patch is available anyways. (patch included)
  • June 24, 2000: A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root. (patch included)
  • June 9, 2000: A serious bug in isakmpd(8) policy handling wherein policy verification could be completely bypassed in isakmpd. (patch included)
  • June 6, 2000: The non-default flag UseLogin in /etc/sshd_config is broken, should not be used, and results in security problems on other operating systems.
  • May 26, 2000: The bridge(4) learning flag may be bypassed. (patch included)
  • May 25, 2000: Improper use of ipf keep-state rules can result in firewall rules being bypassed. (patch included)

• OpenBSD 2.6 Security Advisories

  These are the OpenBSD 2.6 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.
  • May 26, 2000: SYSV semaphore support contained an undocumented system call which could wedge semaphore-using processes from exiting. (patch included)
  • May 25, 2000: Improper use of ipf keep-state rules can result in firewall rules being bypassed. (patch included)
  • May 25, 2000: xlockmore has a bug which a localhost attacker can use to gain access to the encrypted root password hash (which is normally encoded using blowfish (see crypt(3)) (patch included).
  • Jan 20, 2000: Systems running with procfs enabled and mounted are vulnerable to a very tricky exploit. procfs is not mounted by default. (patch included).
  • Dec 4, 1999: Sendmail permitted any user to cause an aliases file wrap, thus exposing the system to a race where the aliases file did not exist. (patch included).
  • Dec 4, 1999: Various bugs in poll(2) may cause a kernel crash.
  • Dec 2, 1999: A buffer overflow in the RSAREF code included in the USA version of libssl, is possibly exploitable in httpd, ssh, or isakmpd, if SSL/RSA features are enabled. (patch included).
    Update: Turns out that this was not exploitable in any of the software included in OpenBSD 2.6.
  • Nov 9, 1999: Any user could change interface media configurations, resulting in a localhost denial of service attack. (patch included).

• OpenBSD 2.5 Security Advisories

  These are the OpenBSD 2.5 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.
  • Aug 30, 1999: In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root. (patch included).
  • Aug 12, 1999: The procfs and fdescfs filesystems had an overrun in their handling of uio_offset in their readdir() routines. (These filesystems are not enabled by default). (patch included).
  • Aug 9, 1999: Stop profiling (see profil(2)) when we execve() a new process. (patch included).
  • Aug 6, 1999: Packets that should have been handled by IPsec may be transmitted as cleartext. PF_KEY SA expirations may leak kernel resources. (patch included).
  • Aug 5, 1999: In /etc/rc, use mktemp(1) for motd re-writing and change the find(1) to use -execdir (patch included).
  • Jul 30, 1999: Do not permit regular users to chflags(2) or fchflags(2) on character or block devices which they may currently be the owner of (patch included).
  • Jul 27, 1999: Cause groff(1) to be invoked with the -S flag, when called by nroff(1) (patch included).

• OpenBSD 2.4 Security Advisories

  These are the OpenBSD 2.4 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.
  • Mar 22, 1999: The nfds argument for poll(2) needs to be constrained, to avoid kvm starvation (patch included).
  • Mar 21, 1999: A change in TSS handling stops another kernel crash case caused by the crashme program (patch included).
  • Feb 25, 1999: An unbounded increment on the nlink value in FFS and EXT2FS filesystems can cause a system crash. (patch included).
  • Feb 23, 1999: Yet another buffer overflow existed in ping(8). (patch included).
  • Feb 19, 1999: ipintr() had a race in use of the ipq, which could permit an attacker to cause a crash. (patch included).
  • Feb 17, 1999: A race condition in the kernel between accept(2) and select(2) could permit an attacker to hang sockets from remote. (patch included).
  • Feb 17, 1999: IP fragment assembly can bog the machine excessively and cause problems. (patch included).
  • Feb 12, 1999: i386 T_TRCTRAP handling and DDB interacted to possibly cause a crash. (patch included).
  • Feb 11, 1999: TCP/IP RST handling was sloppy. (patch included).
  • Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included).
  • Nov 19, 1998: There is a possibly locally exploitable problem relating to environment variables in termcap and curses. (patch included).
  • Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included).

• OpenBSD 2.3 Security Advisories

  These are the OpenBSD 2.3 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.
  • Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included).
  • Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included).
  • August 31, 1998: A benign looking resolver buffer overflow bug was re-introduced accidentally (patches included).
  • Aug 2, 1998: chpass(1) has a file descriptor leak which allows an attacker to modify /etc/master.passwd.
  • July 15, 1998: Inetd had a file descriptor leak.
  • Jul 2, 1998: setuid and setgid processes should not be executed with fd slots 0, 1, or 2 free. (patch included).
  • June 6, 1998: Further problems with the X libraries (patches included).
  • May 17, 1998: kill(2) of setuid/setgid target processes too permissive (4th revision patch included).
  • May 11, 1998: mmap() permits partial bypassing of immutable and append-only file flags. (patch included).
  • May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included).
  • May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included).

• OpenBSD 2.2 Security Advisories

  These are the OpenBSD 2.2 advisories. All these problems are solved in OpenBSD 2.3. Some of these problems still exist in other operating systems. (The supplied patches are for OpenBSD 2.2; they may or may not work on OpenBSD 2.1).
  • May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included).
  • May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included).
  • Apr 22, 1998: Buffer overflow in uucpd (patch included).
  • Apr 22, 1998: Buffer mismanagement in lprm (patch included).
  • Mar 31, 1998: Overflow in ping -R (patch included).
  • Mar 30, 1998: Overflow in named fake-iquery (patch included).
  • Mar 2, 1998: Accidental NFS filesystem export (patch included).
  • Feb 26, 1998: Read-write mmap() flaw. Revision 3 of the patch is available here
  • Feb 19, 1998: Sourcerouted Packet Acceptance. A patch is available here.
  • Feb 13, 1998: Setuid coredump & Ruserok() flaw (patch included).
  • Feb 9, 1998: MIPS ld.so flaw (patch included).

• OpenBSD 2.1 Security Advisories

  These are the OpenBSD 2.1 advisories. All these problems are solved in OpenBSD 2.2. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.1, we would strongly recommend an upgrade to the newest release, as this patch list only attempts at fixing the most important security problems. In particular, OpenBSD 2.2 fixes numerous localhost security problems. Many of those problems were solved in ways which make it hard for us to provide patches).
  • Sep 15, 1997: Deviant Signals (patch included)
  • Aug 2, 1997: Rfork() system call flaw (patch included)
  • Jun 24, 1997: Procfs flaws (patch included)

• OpenBSD 2.0 Security Advisories

  These are the OpenBSD 2.0 advisories. All these problems are solved in OpenBSD 2.1. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.0, we commend you for being there back in the old days!, but you're really missing out if you don't install a new version!)
  • April 22, 1997: Predictable IDs in the resolver (patch included)
  • Many others... if people can hunt them down, please let me know and we'll put them up here.

• Watching our Changes

  Since we take a proactive stance with security, we are continually finding and fixing new security problems. Not all of these problems get widely reported because (as stated earlier) many of them are not confirmed to be exploitable; many simple bugs we fix do turn out to have security consequences we could not predict. We do not have the time resources to make these changes available in the above format.

  Thus there are usually minor security fixes in the current source code beyond the previous major OpenBSD release. We make a limited guarantee that these problems are of minimal impact and unproven exploitability. If we discover that a problem definitely matters for security, patches will show up here VERY quickly.

  People who are really concerned with security can do a number of things:

  • If you understand security issues, watch our source-changes mailing list and keep an eye out for things which appear security related. Since exploitability is not proven for many of the fixes we make, do not expect the relevant commit message to say "SECURITY FIX!". If a problem is proven and serious, a patch will be available here very shortly after.
  • In addition to source changes, you can watch our security-announce mailing list which will notify you for every security related item that the OpenBSD team deems as a possible threat, and instruct you on how to patch the problem.
  • Track our current source code tree, and teach yourself how to do a complete system build from time to time (read /usr/src/Makefile carefully). Users can make the assumption that the current source tree always has stronger security than the previous release. However, building your own system from source code is not trivial; it is nearly 600MB of source code, and problems do occur as we transition between major releases.
  • Install a binary snapshot for your architecture, which are made available fairly often. For instance, an i386 snapshot is typically made available weekly.

• Reporting problems

  If you find a new security problem, you can mail it to deraadt@openbsd.org.
  If you wish to PGP encode it (but please only do so if privacy is very urgent, since it is inconvenient) use this pgp key.

• Further Reading

  A number of papers have been written by OpenBSD team members, about security related changes they have done in OpenBSD. The postscript versions of these documents are available as follows.

  • A Future-Adaptable Password Scheme.
    Usenix 1999, by Niels Provos, David Mazieres.
    paper and slides.

  • Cryptography in OpenBSD: An Overview.
    Usenix 1999, by Theo de Raadt, Niklas Hallqvist, Artur Grabowski, Angelos D. Keromytis, Niels Provos.
    paper and slides.

  • strlcpy and strlcat -- consistent, safe, string copy and concatenation.
    Usenix 1999, by Todd C. Miller, Theo de Raadt.
    paper and slides.

  • Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.
    LISA 1999, by Bob Beck.
    paper and slides.

  • Encrypting Virtual Memory
    Usenix Security 2000, Niels Provos.
    paper and slides.